MiCA Survival Guide · Section 7
The Application Execution Playbook
Step-by-step timeline and checklist
Pre-application readiness assessment (Month -6 to -3)
P1: Business model & jurisdiction
Define scope and select jurisdiction
- Define service scope (custody, exchange, trading platform?)
- Asset classes (Bitcoin/Ethereum only, or broader?)
- Customer segments (retail, institutional, or both?)
- Jurisdiction selection based on: regulator experience, processing speed, banking availability
- Top recommendations: Germany, Netherlands, Luxembourg
P2: Capital & legal structure
Establish entity and secure capital
- Minimum capital: €50,000–€150,000 (based on services)
- Local entity incorporation (3-6 weeks)
- Banking relationships (start immediately — takes 2-6 months)
P3: Technology stack finalization
Select and implement platform
- Evaluate 2-3 platform vendors (use framework in Section 6)
- Request demos with MiCA-specific focus
- Check reference customers in target jurisdiction
- Prioritize: an integrated platform over a multi-vendor setup
- Ensure the platform covers: Fireblocks custody, TRM Labs/Elliptic analytics, Travel Rule
- Timeline: 6-12 weeks for platform setup
P4: Governance & team assembly
Build management structure
- At least one EU-resident director (mandatory)
- Physical office in the application jurisdiction (no virtual office)
- Minimum team: compliance officer, risk manager, operations
- Critical: Staff must be hired before application submission
Application documentation assembly (Month -3 to -1)
Complete documentation checklist
Core documentation
- Business plan & program of operations: services provided, revenue model, 3-year projections, target customers, market analysis.
- Organizational structure: detailed org chart with names and roles, management body composition.
- Capital adequacy documentation: calculation of minimum capital, bank statements proving capital in company account, insurance policies (if using insurance option).
AML/CFT framework
- AML/CFT policies & procedures: customized to local AML Act, KYC procedures, Enhanced Due Diligence for €10,000+ transactions, PEP screening (including domestic PEPs), sanctions screening (EU, UN, OFAC).
- Transaction monitoring procedures: documented scenarios (structuring, velocity, geographic risk, etc.), risk-scoring methodology, alert investigation procedures, SAR filing process.
- Travel Rule implementation: documented VASP screening process, originator/beneficiary data collection procedures, self-hosted wallet verification (for >€1,000), evidence of technical implementation (Notabene, Sygna Bridge).
IT & DORA documentation
- ICT risk management framework: digital operational resilience strategy, ICT asset inventory (all systems, all vendors), protection and prevention measures (MFA, encryption, etc.), documented ICT change management.
- ICT third-party register: complete list of all ICT vendors with service descriptions, locations of data processing, SLA agreements, incident notification procedures, exit strategies.
- Business continuity & disaster recovery: business impact analysis, Recovery Time Objectives (RTO) for each critical function, backup policies and procedures, redundancy systems, documented testing procedures.
- Digital resilience testing program: annual testing plan, penetration testing schedule (TLPT if applicable), vulnerability assessment procedures.
Custody & operational procedures
- Custody policies: key management lifecycle (generation, storage, rotation, deletion), cold/hot storage allocation methodology, multi-signature or MPC implementation, asset segregation procedures (client vs. firm).
- Asset safeguarding & segregation: documented segregation on blockchain (separate addresses), register of positions (per-client entitlements), quarterly statement procedures, proof-of-reserves methodology.
- Business continuity for custody: key backup and recovery procedures, disaster recovery for custody operations, geographic redundancy, insolvency protection for client assets.
Governance & control
- Internal control framework: risk management policies (market, operational, credit, legal, tech), compliance function charter, internal audit procedures.
- Conflicts of interest policy: identified potential conflicts (especially if vertically integrated), information barriers between business lines, employee trading restrictions.
- Customer protection procedures: complaints handling (digital filing system, response timelines), fair pricing and execution, marketing communications policy (clear, fair, not misleading).
Application review period (Month 1-4)
Common regulator questions by category
Business model questions
- "Explain your exact revenue generation mechanism for each service."
- "Provide projected expenses and path to profitability over 3 years."
- "Clarify your target customer segments and addressable market."
Governance & substance questions
- "Confirm the physical address of your operational office."
- "Provide employment contracts for all key personnel."
- "Explain where executive directors reside and their daily responsibilities."
AML/CFT questions
- "Demonstrate how your transaction monitoring system functions in real-time."
- "Provide evidence of TRM Labs/Chainalysis integration."
- "Explain your Travel Rule implementation for transfers to specific VASPs."
IT & DORA questions
- "Provide your complete ICT third-party register with SLA agreements."
- "Demonstrate your disaster recovery procedure for custody systems."
- "Explain your process for ICT incident classification and reporting."
Custody questions
- "Provide detailed key management lifecycle documentation."
- "Explain your cold/hot storage allocation methodology with rationale."
- "Demonstrate asset segregation on blockchain (sample customer addresses)."